HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy

The FTC Revised COPPA Rule: Reflections After a Night to Sleep on It

Yesterday saw dozens of instant summaries of the Federal Trade Commission’s long-awaited revision to the Children’s Online Privacy Protection Act (COPPA) Rule, which becomes effective on July 1, 2013.  We took a night “to sleep on it,” in order to provide not just a summary, but some focused comments about the impact of yesterday’s rule amendments.

One over-arching observation we have is that, even though the revised Rule shows the FTC took into account the many comments submitted by affected parties on earlier drafts, the revised Rule still will impose greater burdens on industry than the current Rule, and determining whether an Internet service is covered by COPPA is not an easy task.  Indeed, a court challenge to aspects of the revised Rule is not out of the question.

Professor Eric Goldman of the University of Santa Clara School of Law was more pointed when he observed today:

[T]he new rules are a real mess.  They are riddled with innumerable ambiguities and questionable policy choices, and I could spend a decade or two trying to figure out how the new rules apply to different factual situations.

And in the 24 hours since the FTC’s COPPA announcement, some are saying that the amended Rule may be counterproductive, lessening the quality and scope of content directed specifically to children, which may encourage more children to visit general audience sites.

With that as background, we turn to some of the specifics:

Ad Networks and the Use of Plug-Ins

Operators of child-directed online services, including websites and mobile apps, will be strictly liable for the collection of under-13 children’s personal information from their services, even by third-party ad networks and plug-in providers that engage in such collection on the underlying service.  Third-party ad networks and plug-in providers will themselves be liable for collecting children’s personal information only if they have actual knowledge that they are collecting information from child-directed services.

Strict liability for primary content online services

Under the new Rule, child-directed sites and services that allow third-party plug-ins or ad networks to collect personal information from a child under the age of 13 on their website or through their service must comply with COPPA’s parental notice-and-consent requirements – even if personal information is only being collected through the plug-in incorporated in the site or service.  The Commission concluded that these third party plug-ins and ad networks collect personal information for the primary-content services’ benefit or interest and therefore act on their behalf even though they may not be the services’ agents or service providers, or even have a close working relationship with the services.  That these third parties enhance a service’s functionality and help to drive traffic to the service, thereby contributing to the service’s viability, is enough for the Commission to hold the underlying service responsible for a violation. 

Despite the attempt at precision, there is a real prospect of litigation over the statutory definition of “operator,” and the meaning of an entity operating “on whose behalf” information is collected.     

The Commission rejected any safe harbor for websites or apps that engage in due diligence reviews of these third parties.  The Commission maintained that parents need to have one entity to turn to, and the primary-content site or service is best positioned to be that entity and to provide notice and obtain consent. 

The issue of holding primary content online services strictly liable is the one part of the Rule about which Commissioner Ohlhausen expressed dissent.  She argued that operators of child-directed websites should not be liable for a third-party plug-in’s collection of children’s information merely because the operators reap some benefit from using the plug-ins.  The benefit may be, according to Ohlhausen, wholly unrelated to the collection of children’s personal information. 

The Commission did respond to a number of commenters’ concerns by clarifying that operators of platforms, such as the App Store or Google Play, that offer access to child-directed content without creating or controlling the content are not covered by the new Rule.  As such, they will not be liable for providing access to child-directed apps or other services that collect information from children.  This is consistent with Section 230 of the Communications Decency Act, which provides immunity for Internet intermediaries for a range of third-party conduct.  As discussed below, platforms can likely play a role in helping apps obtain parental consent. And they will be able to do so without fear of COPPA liability.      

Third party social plug-ins and ad networks as co-operators – actual knowledge

As proposed in the 2012 supplemental notice of proposed rulemaking released in August and discussed here, third-party providers and ad networks would be required to comply with COPPA if they knew or had reason to know that they were collecting personal information from children under the age of 13.  Many commenters, especially those from industry, indicated that this standard was too burdensome and could potentially require all entities that provide plug-ins to comply with COPPA.  The FTC responded to these concerns in its amended rule by requiring ad networks and third-party plug-in providers to comply with COPPA’s notice-and-consent requirements only if they have actual knowledge that they are collecting personal information through a child-directed website or service.

Notably, the “actual knowledge” standard could be interpreted broadly.  For example, the FTC notes that the actual knowledge standard is subject to a highly fact-specific inquiry.  The Commission believes that a third-party plug-in provider or advertising network would likely be deemed to have actual knowledge if the provider of child-directed content communicated the nature of its content to the third party or a representative of the third party recognized the child-directed nature of the content.  But the FTC does acknowledge that other facts might be sufficient to establish actual knowledge. 

The amended Rule leaves questions as to where the FTC will draw the line for what constitutes “actual knowledge.”  It may be obvious that a website associated with a children’s TV show is directed at children.  But, at what point does the third-party plug-in provider gain knowledge about the nature of that website?  Can a developer of a plug-in that makes that plug-in generally available for incorporation into websites ever have actual knowledge?   

Industry is also left to wonder what obligations an ad network or plug-in provider has once it discovers that it has been collecting personal information on a child-directed service.  Will it be enough for the provider to cease collecting personal information from children?  Or will the provider have to engage in some sort of remediation or deletion of previously collected data, even though it may not be apparent what information the provider holds that relates to children under 13?  Will the provider have any liability for failing to comply with COPPA for the period before it had actual knowledge?  Will the result be that innovative features like social plug-ins will not be available on child-directed services and that at least some children will migrate to other services?

Persistent Identifiers: the Broadening of “Personal Information”

The FTC has made it clear that behavioral advertising to children across websites is not permitted without receiving parental consent.

As expected, the new Rule broadens the definition of “personal information” to include persistent identifiers – including IP addresses, unique device identifiers, and tracking information stored on cookies – even when they are not associated with individually identifiable information.  While limited to COPPA, this is a dramatic shift when compared to most US privacy regimes.  Under the current COPPA Rule, persistent identifiers are considered personal information only if they are associated with other personal information.

The amended Rule differs from the proposed rules in treating persistent identifiers as personal information only if the identifiers can be used to recognize users over time and across different services.  The Commission suggests that services will be treated as different if they are unrelated to each other or if the affiliate relationship is not clear to users.  A children’s toy company could therefore use an identifier designed to track how children interact with the company’s website or register the child’s intra-site preferences without parental consent.  But the company could not, without parental consent, use an identifier that could track a user’s activities on a website promoting SUVs, even if the toy company owned the SUV site.

Under the amended Rule, operators need not obtain parental consent before collecting, using, or disclosing persistent identifiers if they are collected solely for supporting the internal operations of the service and no other personal information is collected along with them.  The new Rule, like the FTC’s former proposals, recognizes the service of contextual advertising as supporting the internal operations of a service.  Contextual advertising is the practice of delivering ads based on the content of the website or service on which the ad is presented – e.g., sports ads are delivered to sports sites and ads for parkas are delivered to services informing users about cold weather.  Behavioral advertising, which delivers ads based on information about the user rather than information relating to the website’s content, is not recognized as supporting the internal operations of a service.

The FTC responded to industry comments by expressly recognizing frequency capping – limiting the number of times a user is presented with an ad – as supporting the internal operations of a website.

Even though the new Rule allows persistent identifiers to be used to deliver contextual advertising and track the frequency of ads delivered on a service, it limits the tools available for ad networks working with child-directed services.  Absent parental consent, ad networks will not be able to use a persistent identifier to track how many times a child has viewed an ad on different sites.  Operators can track what a child does within a website, but they will need consent to track across sites.  This limits the utility of frequency capping because the effectiveness of an ad depends upon how often it is seen, not just on how often it is seen on one website. 

Though contextual advertising is allowed on children’s sites, the FTC has made clear that behavioral advertising requires parental consent.  This likely means that ad networks will stop serving behavioral ads on child-directed sites as the burdens of and costs associated with receiving parental consent will likely make it difficult for ad networks to generate revenue by serving ads on websites directed to children.  Because contextual advertising tends to generate less revenue than behavioral ads, the net effect of the new Rule may be that there is less content, or a decrease in quality of content, for kids.

In addition to persistent identifiers, the FTC added other data elements to its definition of personal information, including geolocation information, screen names or user names if they enable the direct contacting of children, and photographs, videos, and audio files.

E-mail Plus Is Here to Stay . . . For Now

The FTC has chosen to keep the popular “e-mail plus” mechanism for consenting to internal uses of children’s personal information, but the Commission is pushing industry to adopt other mechanisms. 

In its proposals, the FTC suggested eliminating the e-mail plus option, which allows operators that collect personal information only for internal use to obtain parental consent for the collection of that information via e-mail plus an additional step.  The additional step confirms the parent’s e-mail consent by sending a delayed confirmation e-mail, sending a letter, or calling the parent’s phone number.  Although the FTC recognizes that children may be able to circumvent e-mail plus – perhaps by providing a false e-mail address – the Commission chose to keep the consent mechanism because of its wide use and the reduced risks associated with purely internal uses of personal information.

The FTC closes its discussion of e-mail plus by strongly encouraging industry to create new consent mechanisms as quickly as possible and expressing concern that e-mail plus is outdated.  The Commission’s language suggests that e-mail plus may be reconsidered in the future. 

New Notice-and-Consent Requirements

The new Rule adopts the notice requirements established in the 2011 NPRM (see description in our earlier blog post here).  The new requirements streamline what operators must include in their notices and are designed to give parents information needed to make informed decisions.

The FTC rejected proposals to expressly permit common platform consent mechanisms.  These mechanisms would allow platform providers (e.g., gaming consoles, device manufacturers, app stores) to obtain parental consent for multiple operators simultaneously.  The platform providers could provide a general notice of collection practices, and parents could consent to all services running on the platform that conform to those collection practices.  The FTC recognizes the benefits of these mechanisms, but was reluctant to adopt specific language without fully exploring the legal and practical challenges involved.  The Commission does note, however, that common consent mechanisms could be designed to meet the new Rule’s basic notice-and-consent requirements.

Alternatively, common consent mechanisms could be submitted for approval through the new voluntary approval process.  The new Rule encourages the development of new technologies to obtain parental consent.  Along with expressly allowing videoconferencing, alternative payment methods, scanned documents, and government-issued IDs to be used for registering consents, the new Rule establishes a voluntary 120-day notice and comment process for businesses seeking FTC approval for other consent mechanisms. 

Websites or Online Services Targeted to Children

The FTC expanded its list of characteristics for an online site or service that would render it directed to children, which includes a “totality of the circumstances” approach examining issues such as child-oriented activities, animated characters, music or audio content, presence of child celebrities and those who appeal to children, nature of advertising, and empirical evidence about the audience.  Even if an online site or service does not target children as its primary audience, the FTC may view it as directed to children based on its application of the factors.  The FTC’s amended rule provides that if such services age screen prior to collection of “personal information” under the new definition and then follow notice-and-parental-consent requirements for those under 13, the services shall be deemed not to be directed to children.

Accordingly, many general audience online sites or services attractive to children will be well-advised to age screen prior to the collection of personal information, which would include the setting of ad network cookies for behavioral advertising.    

Data Security Responsibilities for Collected Information

In the 2011 NPRM, the FTC proposed requiring operators to take reasonable measures to ensure that third parties receiving children’s information from the operators protect the confidentiality, security, and integrity of personal information collected from children.  The new Rule relaxes this obligation, requiring operators only to implement reasonable procedures to protect the confidentiality, security, and integrity of personal information.  Commenters on the proposed Rule argued that requiring operators to ensure the adequacy of third-party practices set an impossible-to-reach standard.  The FTC found merit in this, and will now require operators of child-directed services to inquire about the practices of their service providers and obtain assurances about the practices of third parties.  But they will not have to ensure that the third parties live up to those assurances. 

Webinar:  The IAPP will host a webinar on the new COPPA Rule on January 10, 2013, from 1 to 2:30 PM EST, moderated by Chris Wolf and Tim Tobin, partners in the Hogan Lovells Privacy and Information Management Practice, and featuring the lead FTC lawyers involved with the new Rule, Phyllis Marcus and Mamie Kresses.  To register, click here.